How to Set Up Team Roles and Permissions Across Your Ad Accounts

Learning how to set up agency team roles is the single highest-leverage operations task you can do this quarter, and it takes less time than the next client onboarding. The payoff is permanent: every team member scoped to exactly the accounts and actions their job requires, every change attributable to a named person, and a shared password that no longer exists to leak. This guide is the step-by-step version, from your first invite to verifying isolation before anyone touches a live campaign.

If you want the case for why this matters before you build it, our companion piece on why shared logins are killing your ad agency covers the stakes. This article is purely the how.

Before You Start: Map People to Roles

Do not open the invite screen yet. The most common mistake is inviting people first and figuring out their access afterward, which always ends with someone over-permissioned — and over-permissioning is no small risk, with the majority of breaches still tied to compromised credentials and human error (Verizon DBIR, 2024). Spend fifteen minutes mapping your team to roles on paper, because the mapping is the hard part and the clicking is the easy part.

Wevion provides seven roles. Here is the quick reference for who gets what:

• Super Admin and Admin hold the keys: workspace configuration, team management, and account connections. Two or three people total.
• Owner carries scoped ownership of a workspace or client relationship and its settings.
• Manager coordinates the team's work on the accounts they oversee.
• Media Buyer creates, edits, and optimizes campaigns on assigned accounts. This is most of your team.
• Finance sees billing and spend without campaign-editing rights.
• Viewer reads performance and reports with no ability to create, edit, or pause.

Write each person's name next to a role, and for buyers, list the specific client accounts they should be scoped to. Keep the list. You will work through it in the next steps.

Step 1: Connect Your Ad Accounts First

Roles are only meaningful once there are accounts to scope them against. Connect your ad accounts through official OAuth for each platform you run, whether that is Meta, Google, TikTok, Taboola, or Snapchat. Wevion connects through each platform's official API and OAuth flow, so you are authorizing access the sanctioned way rather than sharing platform passwords.

Connect every client account you intend to assign before you invite the team. This matters because you want to scope each buyer to real accounts on their first login, not invite them into an empty workspace and backfill access later. For agencies running many accounts, our guide to managing multiple Facebook ad accounts covers the consolidation step in depth.

Step 2: Invite Members With Their Role Attached

Now open team management and send invites by email. The key detail: you assign the role at the moment of invitation, so the permission travels with the invite. The new member never lands in a default high-access state waiting for you to lock it down.

For each person on your map, send the invite with the role you assigned. The member receives the email, creates their own individual login, and sets up two-factor authentication on their own account. At no point does anyone exchange a shared password. Repeat down your list until every team member has an invite out.

A practical sequencing tip: invite your Admins and Owners first and have them confirm their own access before you invite the wider team. That way, if you need a second set of hands to verify scoping, the senior seats are already live.

This invite-with-role pattern also fixes one of the quietest sources of risk in growing agencies: the lingering over-grant. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, the kind of error and stale access that builds up when permissions are assigned loosely and never revisited. When every invite carries an explicit role, there is no loose default to drift from, and the access map you wrote in the planning step stays true to reality.

Step 3: Scope Media Buyers to Specific Accounts

This is the step that prevents the most damage, so do it carefully. A Media Buyer should see and act on only the client accounts they are responsible for. A buyer handling clients A, B, and C should have zero visibility into client D.

Go through each Media Buyer seat and confirm the account scope matches your map. The principle is least privilege: every team member has the minimum access needed to do their job on the specific accounts they own, and nothing more. This is not only a security boundary; it is a data-hygiene boundary. A buyer who cannot see client D cannot accidentally edit client D, full stop.

Scoping also keeps your reporting clean. When a buyer's dashboard shows only their accounts, they are not sifting past nine other clients to find their numbers, which means fewer mistakes and faster work. The same scoping logic underpins clean cross-client onboarding, covered in our agency client onboarding guide.

The least-privilege principle is not agency folklore; it is a core security control. The US National Institute of Standards and Technology codifies least privilege in its SP 800-53 framework as a foundational requirement, granting each user only the access their function demands. Applying it to ad accounts simply means a buyer's scope is a list of clients, not a blanket grant. When you size that list to the real job, you remove an entire category of cross-client mistakes before it can happen.

Step 4: Assign Finance and Viewer Seats Deliberately

Two roles get skipped most often, and skipping them is exactly why people end up over-permissioned.

Finance is for the person reconciling spend and invoices. Give them visibility into billing and spend without campaign-editing rights. The instinct to hand the finance person full admin "just so they can see the numbers" is the instinct to break. A Finance seat lets them see everything they need to reconcile without ever being able to pause a live campaign.

Viewer is for everyone who only needs to look: account managers preparing for client calls, analysts building reports, or a client who wants read-only visibility into their own account. A Viewer reads performance and reports and can create, edit, or pause nothing. This single role eliminates the most common over-grant in agencies, which is giving full editing access to people who only need to read.

Go through your remaining team members and assign Finance or Viewer where it fits. By the end of this step, every person on your map has a seat.

Step 5: Verify Isolation Before Going Live

Do not assume the setup is correct. Verify it from the member's perspective, because a permission model you have not checked is a permission model you do not actually have.

Owners and Admins can review what each team member can access, and admin impersonation lets you view the workspace exactly as a given member sees it, without disrupting their active session. Run these checks:

• Confirm a Media Buyer scoped to clients A and C cannot see client B.
• Confirm a Viewer cannot create, edit, or pause anything.
• Confirm Finance sees billing and spend but not campaign editing.
• Confirm only your two or three Admins can manage team membership.

When all four checks pass, your setup is live and verified. For the deeper mechanics of session isolation and the underlying permission structure, our agency team management guide goes one level lower.

Step 6: Make Offboarding a One-Click Habit

The setup is not finished until offboarding is built in. The whole point of individual seats is that removing a person is trivial. When someone leaves, set their seat to inactive. Their access ends immediately, the rest of the team keeps working uninterrupted, no password is rotated and redistributed, and the action history retains what they did while active.

Build this into your standard offboarding checklist alongside the usual steps. The agencies that get burned are the ones where a contractor's access lingers for months because nobody owned the removal. With one-click deactivation, there is no excuse for that gap.

A Note on Plans and Verification

Two-factor authentication should be standard on every seat, and it is worth confirming that each member enabled it during their first login. Role-based seats and 2FA together mean a compromised device exposes only one scoped seat, and you can revoke that one person instantly.

Team seats with role-based permissions are included across Wevion plans, from the permanent free tier and Free at €0 through Starter at €99, Pro at €499, Plus at €1,499 per month or €1,199 billed annually, and Enterprise custom. The 14-day trial lets you run this entire setup, including the verification steps, on a real client account before committing.

The Bottom Line

Setting up team roles is a one-time hour that pays off on every campaign afterward. Map people to roles first, connect accounts, invite with the role attached, scope buyers to specific accounts, assign Finance and Viewer deliberately, verify isolation from the member's perspective, and make offboarding one click. Do those seven steps once and the shared password disappears for good, replaced by a model where every action has a name and every person sees only what their job requires. For the wider set of operational playbooks, visit the agency tools hub, and to choose the platform that hosts all of this, see our best ads management software for agencies roundup.